Simon Josefsson: Preseeding Trisquel Virtual Machines Using “netinst” Images

I’m migrating some self-hosted virtual machines to Trisquel, and noticed that Trisquel does not offer cloud-images similar to the Debian Cloud and Ubuntu Cloud images. Thus my earlier approach based on virt-install --cloud-init and cloud-localds does not work with Trisquel. While I hope that Trisquel will eventually publish cloud-compatible images, I wanted to document an alternative approach for Trisquel based on preseeding. This is how I used to install Debian and Ubuntu in the old days, and the automated preseed method is best documented in the Debian installation manual. I was hoping to forget about the preseed format, but maybe it will become one of those legacy technologies that never really disappears? Like FAT16 and 8-bit microcontrollers.

Below I assume you have a virtual machine host server up that runs libvirt and has virt-install and similar tools; install them with the following command. I run a pre-release version of Trisquel 11 aramo on my VM-host, but I believe any recent dpkg-based distribution like Trisquel 9/10, PureOS 10, Debian 11 or Ubuntu 20.04/22.04 would work.

apt-get install libvirt-daemon-system virtinst genisoimage cloud-image-utils osinfo-db-tools

The approach can install Trisquel 9 (etiona), Trisquel 10 (nabia) and the pre-release of Trisquel 11. First download and verify the integrity of the netinst images that we will need. Note that the archive signing key is fetched from the archive itself, so compare the fingerprint of the imported key against a copy obtained out of band before relying on gpg --verify. Unfortunately the Trisquel 11 netinst beta image does not have any checksum or signature available, so the sha256 line for it below only pins the exact file that was downloaded and does not authenticate it.

mkdir -p /root/iso
cd /root/iso
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_9.0.2_amd64.iso
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_9.0.2_amd64.iso.asc
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_9.0.2_amd64.iso.sha256
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_10.0.1_amd64.iso
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_10.0.1_amd64.iso.asc
wget -q https://mirror.fsf.org/trisquel-images/trisquel-netinst_10.0.1_amd64.iso.sha256
wget -q -O- https://archive.trisquel.info/trisquel/trisquel-archive-signkey.gpg | gpg --import
sha256sum -c trisquel-netinst_9.0.2_amd64.iso.sha256
gpg --verify trisquel-netinst_9.0.2_amd64.iso.asc
sha256sum -c trisquel-netinst_10.0.1_amd64.iso.sha256
gpg --verify trisquel-netinst_10.0.1_amd64.iso.asc
wget -q https://cdbuilds.trisquel.org/aramo/trisquel-netinst_11.0-20221225_amd64.iso
echo '179566639ca8f14f0c3d5658209c59a0916d9e3bf9c026660cc07b28f2311631  trisquel-netinst_11.0-20221225_amd64.iso' | sha256sum -c

I have developed the following fairly minimal preseed file that works with all three Trisquel releases. Compare it against the official Trisquel 11 preseed skeleton and the Debian 11 example preseed file. You should modify obvious things like the SSH key, host/IP settings and partition layout, and decide for yourself how to deal with passwords: the root password below is stored in clear text inside the generated ISO, so anyone who can read the ISO can read it. While Ubuntu/Trisquel usually wants to set up a user account, I prefer to log in as root, hence setting 'passwd/root-login' to true and 'passwd/make-user' to false.


root@trana:~# cat>trisquel.preseed 
d-i debian-installer/locale select en_US
d-i keyboard-configuration/xkb-keymap select us

d-i netcfg/choose_interface select auto
d-i netcfg/disable_autoconfig boolean true

d-i netcfg/get_ipaddress string 192.168.10.201
d-i netcfg/get_netmask string 255.255.255.0
d-i netcfg/get_gateway string 192.168.10.46
d-i netcfg/get_nameservers string 192.168.10.46

d-i netcfg/get_hostname string trisquel
d-i netcfg/get_domain string sjd.se

d-i clock-setup/utc boolean true
d-i time/zone string UTC

d-i mirror/country string manual
d-i mirror/http/hostname string ftp.acc.umu.se
d-i mirror/http/directory string /mirror/trisquel/packages
d-i mirror/http/proxy string

d-i partman-auto/method string regular
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-basicfilesystems/no_swap boolean false
d-i partman-auto/expert_recipe string myroot :: 1000 50 -1 ext4 \
     $primary{ } $bootable{ } method{ format } \
     format{ } use_filesystem{ } filesystem{ ext4 } \
     mountpoint{ / } \
    .
d-i partman-auto/choose_recipe select myroot

d-i passwd/root-login boolean true
d-i user-setup/allow-password-weak boolean true
d-i passwd/root-password password r00tme
d-i passwd/root-password-again password r00tme
d-i passwd/make-user boolean false

tasksel tasksel/first multiselect
d-i pkgsel/include string openssh-server

popularity-contest popularity-contest/participate boolean false

d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-installer/bootdev string default

d-i finish-install/reboot_in_progress note

d-i preseed/late_command string mkdir /target/root/.ssh ; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE cardno:FFFE67252015 > /target/root/.ssh/authorized_keys
^D
root@trana:~# 

Use the file above as a skeleton for preparing a VM-specific preseed file as follows. The environment variables HOST and IP will be used later on too.


root@trana:~# HOST=foo
root@trana:~# IP=192.168.10.197
root@trana:~# sed -e "s,get_ipaddress string.*,get_ipaddress string $IP," -e "s,get_hostname string.*,get_hostname string $HOST," < trisquel.preseed > vm-$HOST.preseed
root@trana:~# 
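Before building an ISO around the generated preseed it is worth catching the mistakes that otherwise only show up as a VM that never reaches the mirror or, worse, one that installs with no way to log in. The checker below is an added example and not part of Simon Josefsson's post; it is written in Python rather than the post's shell and assumes the question names of the skeleton above (netcfg/get_*, passwd/root-*, preseed/late_command). The sample preseed it builds, including its dummy ssh-ed25519 key, is constructed for the demo.

```python
"""Sanity checks for a generated preseed file (added example; see the lead-in)."""
import base64
import ipaddress
import re
import sys

# ssh-ed25519 public key wire format: string "ssh-ed25519", then a 32-byte string.
_SSH_ED25519_PREFIX = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def build_sample_preseed(ip="192.168.10.197", gateway="192.168.10.46",
                         netmask="255.255.255.0", host="foo", key_blob=None):
    """Constructed preseed in the layout of the post's skeleton (demo data only)."""
    if key_blob is None:
        # Well-formed blob around a dummy all-0x42 key; not a real key.
        key_blob = base64.b64encode(_SSH_ED25519_PREFIX + b"\x42" * 32).decode()
    return (
        "d-i netcfg/disable_autoconfig boolean true\n"
        f"d-i netcfg/get_ipaddress string {ip}\n"
        f"d-i netcfg/get_netmask string {netmask}\n"
        f"d-i netcfg/get_gateway string {gateway}\n"
        f"d-i netcfg/get_nameservers string {gateway}\n"
        f"d-i netcfg/get_hostname string {host}\n"
        "d-i passwd/root-login boolean true\n"
        "d-i passwd/root-password password r00tme\n"
        "d-i passwd/root-password-again password r00tme\n"
        "d-i passwd/make-user boolean false\n"
        "d-i preseed/late_command string mkdir /target/root/.ssh ; "
        f"echo ssh-ed25519 {key_blob} > /target/root/.ssh/authorized_keys\n"
    )


def parse_preseed(text):
    """Map question name -> (type, value); backslash continuation lines are joined."""
    joined = re.sub(r"\\\n\s*", " ", text)
    questions = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)   # owner, question, type, value
        if len(parts) < 3:
            continue
        questions[parts[1]] = (parts[2], parts[3] if len(parts) == 4 else "")
    return questions


def _ed25519_blob_ok(b64):
    """True if b64 decodes to the 51-byte ssh-ed25519 public key wire format."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return len(raw) == 51 and raw.startswith(_SSH_ED25519_PREFIX)


def check_preseed(text):
    """Return a list of (severity, message); severity is 'error' or 'warning'."""
    q = parse_preseed(text)
    findings = []

    def val(name):
        return q.get(name, ("", ""))[1]

    # Static network settings must agree, or the installer never reaches the mirror.
    if val("netcfg/disable_autoconfig") == "true":
        try:
            iface = ipaddress.IPv4Interface(
                f"{val('netcfg/get_ipaddress')}/{val('netcfg/get_netmask')}")
            gw = ipaddress.IPv4Address(val("netcfg/get_gateway"))
            if gw not in iface.network or gw == iface.ip:
                findings.append(("error", f"gateway {gw} is unusable for {iface}"))
            for ns in val("netcfg/get_nameservers").split():
                ipaddress.IPv4Address(ns)   # raises on garbage
        except ValueError as exc:
            findings.append(("error", f"bad static network setting: {exc}"))
    if not _LABEL.match(val("netcfg/get_hostname")):
        findings.append(("error", "hostname is not a valid DNS label"))

    # A 'password' type answer is stored as-is in preseed.cfg inside the initrd.
    if q.get("passwd/root-password", ("", ""))[0] == "password":
        findings.append(("warning", "root password in clear text; prefer "
                                    "passwd/root-password-crypted with a crypt(3) hash"))

    # Make sure there is still a way into the VM once it boots.
    m = re.search(r"ssh-ed25519 ([A-Za-z0-9+/=]+)", val("preseed/late_command"))
    key_ok = bool(m) and _ed25519_blob_ok(m.group(1))
    if m and not key_ok:
        findings.append(("error", "late_command carries a malformed ssh-ed25519 key"))
    has_password = any(n in q for n in ("passwd/root-password",
                                        "passwd/root-password-crypted"))
    if val("passwd/root-login") == "true" and not (key_ok or has_password):
        findings.append(("error", "root login enabled but no password or usable key"))
    if val("passwd/root-login") != "true" and val("passwd/make-user") == "false":
        findings.append(("error", "neither a user account nor root login: VM unreachable"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_preseed()
    for severity, message in check_preseed(text):
        print(f"{severity}: {message}")
```

Run it as python3 check_preseed.py vm-foo.preseed before ./gen-preseed-iso. The clear-text warning fires on the skeleton above because d-i keeps a 'password' type answer verbatim in preseed.cfg inside the initrd; passwd/root-password-crypted takes a crypt(3) hash instead, which is what a practitioner should ship in an image that leaves the build host.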

The following script is used to prepare the ISO images with the preseed file that we will need. This script is inspired by the Debian Wiki Preseed EditIso page and the Trisquel ISO customization wiki page, with a couple of variations from those earlier works. Paths are updated to match the Trisquel netinst ISO layout, which differs slightly from Debian's. We modify isolinux.cfg to boot the auto label without a timeout. On Trisquel 11 the auto boot label exists, but on Trisquel 9 and Trisquel 10 it does not, so we add it in order to be able to start the automated preseed installation.


root@trana:~# cat gen-preseed-iso 
#!/bin/sh

# Copyright (C) 2018-2022 Simon Josefsson -- GPLv3+
# https://wiki.debian.org/DebianInstaller/Preseed/EditIso
# https://trisquel.info/en/wiki/customizing-trisquel-iso

set -e
set -x

ISO="$1"
PRESEED="$2"
OUTISO="$3"
LASTPWD="$PWD"

test -f "$ISO"
test -f "$PRESEED"
test ! -f "$OUTISO"

TMPDIR=$(mktemp -d)
mkdir "$TMPDIR/mnt"
mkdir "$TMPDIR/tmp"

cp "$PRESEED" "$TMPDIR"/preseed.cfg
cd "$TMPDIR"

mount "$ISO" mnt/
cp -rT mnt/ tmp/
umount mnt/

chmod +w -R tmp/
gunzip tmp/initrd.gz
echo preseed.cfg | cpio -H newc -o -A -F tmp/initrd
gzip tmp/initrd
chmod -w -R tmp/

sed -i "s/timeout 0/timeout 1/" tmp/isolinux.cfg
sed -i "s/default vesamenu.c32/default auto/" tmp/isolinux.cfg

if ! grep -q auto tmp/adtxt.cfg; then
    cat<<EOF >> tmp/adtxt.cfg
label auto
	menu label ^Automated install
	kernel linux
	append auto=true priority=critical vga=788 initrd=initrd.gz --- quiet
EOF
fi

cd tmp/
find -follow -type f | xargs md5sum  > md5sum.txt
cd ..

cd "$LASTPWD"

genisoimage -r -J -b isolinux.bin -c boot.cat \
            -no-emul-boot -boot-load-size 4 -boot-info-table \
            -o "$OUTISO" "$TMPDIR/tmp/"

rm -rf "$TMPDIR"

exit 0
^D
root@trana:~# chmod +x gen-preseed-iso 
root@trana:~# 

Next run the command on one of the downloaded ISO images and the generated preseed file.


root@trana:~# ./gen-preseed-iso /root/iso/trisquel-netinst_10.0.1_amd64.iso vm-$HOST.preseed vm-$HOST.iso
+ ISO=/root/iso/trisquel-netinst_10.0.1_amd64.iso
+ PRESEED=vm-foo.preseed
+ OUTISO=vm-foo.iso
+ LASTPWD=/root
+ test -f /root/iso/trisquel-netinst_10.0.1_amd64.iso
+ test -f vm-foo.preseed
+ test ! -f vm-foo.iso
+ mktemp -d
+ TMPDIR=/tmp/tmp.mNEprT4Tx9
+ mkdir /tmp/tmp.mNEprT4Tx9/mnt
+ mkdir /tmp/tmp.mNEprT4Tx9/tmp
+ cp vm-foo.preseed /tmp/tmp.mNEprT4Tx9/preseed.cfg
+ cd /tmp/tmp.mNEprT4Tx9
+ mount /root/iso/trisquel-netinst_10.0.1_amd64.iso mnt/
mount: /tmp/tmp.mNEprT4Tx9/mnt: WARNING: source write-protected, mounted read-only.
+ cp -rT mnt/ tmp/
+ umount mnt/
+ chmod +w -R tmp/
+ gunzip tmp/initrd.gz
+ echo preseed.cfg
+ cpio -H newc -o -A -F tmp/initrd
5 blocks
+ gzip tmp/initrd
+ chmod -w -R tmp/
+ sed -i s/timeout 0/timeout 1/ tmp/isolinux.cfg
+ sed -i s/default vesamenu.c32/default auto/ tmp/isolinux.cfg
+ grep -q auto tmp/adtxt.cfg
+ cat
+ cd tmp/
+ find -follow -type f
+ xargs md5sum
+ cd ..
+ cd /root
+ genisoimage -r -J -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o vm-foo.iso /tmp/tmp.mNEprT4Tx9/tmp/
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using GCRY_000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/gcry_sha512.mod (gcry_sha256.mod)
Using XNU_U000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/xnu_uuid.mod (xnu_uuid_test.mod)
Using PASSW000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/password_pbkdf2.mod (password.mod)
Using PART_000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/part_sunpc.mod (part_sun.mod)
Using USBSE000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/usbserial_pl2303.mod (usbserial_ftdi.mod)
Using USBSE001.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/usbserial_ftdi.mod (usbserial_usbdebug.mod)
Using VIDEO000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/videotest.mod (videotest_checksum.mod)
Using GFXTE000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/gfxterm_background.mod (gfxterm_menu.mod)
Using GCRY_001.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/gcry_sha256.mod (gcry_sha1.mod)
Using MULTI000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/multiboot2.mod (multiboot.mod)
Using USBSE002.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/usbserial_usbdebug.mod (usbserial_common.mod)
Using MDRAI000.MOD;1 for  /tmp/tmp.mNEprT4Tx9/tmp/boot/grub/x86_64-efi/mdraid09.mod (mdraid09_be.mod)
Size of boot image is 4 sectors -> No emulation
 22.89% done, estimate finish Thu Dec 29 23:36:18 2022
 45.70% done, estimate finish Thu Dec 29 23:36:18 2022
 68.56% done, estimate finish Thu Dec 29 23:36:18 2022
 91.45% done, estimate finish Thu Dec 29 23:36:18 2022
Total translation table size: 2048
Total rockridge attributes bytes: 24816
Total directory bytes: 40960
Path table size(bytes): 64
Max brk space used 46000
21885 extents written (42 MB)
+ rm -rf /tmp/tmp.mNEprT4Tx9
+ exit 0
root@trana:~#

Now the image is ready for installation, so invoke virt-install as follows. The machine will start directly, launching the preseed automatic installation. At this point, I usually click on the virtual machine in virt-manager to follow screen output until the installation has finished. If everything works OK the machine comes up and I can ssh into it.


root@trana:~# virt-install --name $HOST --disk vm-$HOST.img,size=5 --cdrom vm-$HOST.iso --osinfo linux2020 --autostart --noautoconsole --wait
Using linux2020 default --memory 4096

Starting install...
Allocating 'vm-foo.img'                                                                                                                                |    0 B  00:00:00 ... 
Creating domain...                                                                                                                                     |    0 B  00:00:00     

Domain is still running. Installation may be in progress.
Waiting for the installation to complete.
Domain has shutdown. Continuing.
Domain creation completed.
Restarting guest.
root@trana:~# 

There are some problems that I have noticed that would be nice to fix, but are easy to work around. The first is that at the end of the installation of Trisquel 9 and Trisquel 10, the VM hangs after displaying "Sent SIGKILL to all processes" followed by "Requesting system reboot". I kill the VM manually using virsh destroy foo and start it up again using virsh start foo. For production use I expect to be running Trisquel 11, where the problem doesn't happen, so this does not bother me enough to debug further.

The remaining issue is that once booted, a Trisquel 11 VM has lost its DNS nameserver configuration, presumably due to poor integration with systemd-resolved. Both Trisquel 9 and Trisquel 10 use systemd-resolved, and DNS works there after first boot, so this appears to be a Trisquel 11 bug. You can work around it with rm -f /etc/resolv.conf && echo 'nameserver A.B.C.D' > /etc/resolv.conf or drink the systemd Kool-Aid.

If you want to clean up and re-start the process, here is how you wipe out what you did. After this, you may run the sed, ./gen-preseed-iso and virt-install commands again. Remember, use virsh shutdown foo to gracefully shut down a VM.


root@trana:~# virsh destroy foo
Domain 'foo' destroyed

root@trana:~# virsh undefine foo --remove-all-storage
Domain 'foo' has been undefined
Volume 'vda'(/root/vm-foo.img) removed.

root@trana:~# rm vm-foo.*
root@trana:~# 

Happy hacking on your virtual machines!

Rant: year of Linux on the desktop

A rant about “year of Linux on the desktop” from a tired old man. I’ve been part of the Linux community since before Linux was called Linux. Over the years there’s been many people telling me directly that Linux is silly or wrong or imperfect, or that free and open source software is foolish or pointless. A lot more people have, of course, pontificated along those lines in public, and not directed it at me. I’m not claiming to be targeted at that, but I’ve been around and active for long enough that things accumulate. It’s the end of a long year for me, and I thought I’d let off some steam myself. Hence this rant.

Over time, the goal posts of success keep being moved by the naysayers. I’m too tired to dig up all important milestones and dates, or references, but here are highlights of the timeline as I have experienced it (years may be a little off).

The most popular operating system in the world by a huge margin, and yet, it still gets ridiculed by users of platforms that still have to manually install drivers and update applications by hand while getting spied on left, right, and centre. Strange times we live in.

Afghan Professor Tears Up Certificate To Protest Against Banning Women From Universities


Argus News is Odisha’s fastest-growing news channel having its presence on satellite TV and various web platforms. Watch the latest news updates LIVE on matters related to education & employment, health & wellness, politics, sports, business, entertainment, and more. Argus News is setting new standards for journalism through its differentiated programming, philosophy, and tagline ‘Satyara Sandhana’.

To stay updated on-the-go,

Visit Our Official Website: https://www.argusnews.in/
iOS App: http://bit.ly/ArgusNewsiOSApp
Android App: http://bit.ly/ArgusNewsAndroidApp
Live TV: https://argusnews.in/live-tv/
Facebook: https://www.facebook.com/argusnews.in
Youtube : https://www.youtube.com/c/TheArgusNew…
Twitter: https://twitter.com/ArgusNews_in
Instagram: https://www.instagram.com/argusnewsin

Argus News Is Available on:
TataPlay channel No – 1780
Airtel TV channel No – 609
Dish TV channel No – 1369
d2h channel No – 1757
SITI Networks HYD – 12
Hathway – 732
GTPL KCBPL – 713
SITI Networks Kolkata – 460
& other Leading Cable Networks

You Can WhatsApp Us Your News On- 8480612900

#Afghanistan #Taliban #girls #students #study #ArgusNews

What are the impacts of the Transition PEC on the public coffers? Felipe Salto explains

In an interview with Jornal da Manhã, on Jovem Pan News, São Paulo's Secretary of Finance, Felipe Salto, explains the impacts of the Transition PEC (constitutional amendment proposal) on the public coffers. Watch the full Jornal da Manhã: https://youtu.be/Rjap9oA4BqE

Download the Panflix app: https://www.panflix.com.br/

Download the Jovem Pan AppNews on Google Play
https://bit.ly/2KRm8OJ

Download the Jovem Pan AppNews on the App Store
https://apple.co/3rSwBdh

Subscribe to our channel:
https://www.youtube.com/c/jovempannews

Visit our website:
http://jovempan.com.br/

Facebook:
https://www.facebook.com/jovempannews

Follow us on Twitter:
https://twitter.com/JovemPanNews

Instagram:
https://www.instagram.com/jovempannews/

#JovemPan
#JornalDaManhã

OpenBSD KDE Status Report 2022

The end of the year is rapidly approaching, and Rafael Sadowski (rsadowski@) has published the OpenBSD KDE Status Report 2022.
The report leads in,

A lot has happened since the last OpenBSD KDE Status Report in 2021. Let’s split the report in four areas the good, the bad, the plasma and libinput.

and goes on to describe in some detail the work put in to update the KDE ecosystem on our favorite operating system.

You can read the whole thing by following either link.

Third Audit Results

We received an audit on the new “index-v2” work in official Android client
app + API (3 days) and the new front end webserver setup (1 day). There
were no findings for the webserver setup, so the analysis in this post deals
with the F-Droid client app. The audit was conducted by Radically Open
Security, which is a natural partner for F-Droid since they share a focus on
free software and open processes. Thanks to NLnet for finding the auditor
and covering the costs of hiring them. We are making the original report
available for download.

This post was written in the spirit of transparency with technical detail
about the risks of each vulnerability. We welcome further scrutiny. For
more information about F-Droid’s security practices, see the documentation
about the Security Model.

CLN-002 – XML parsers might be vulnerable to XXE attacks

  • Vulnerability type: Input validation
  • Threat level: Elevated

The application’s XML parser implementation might be vulnerable to XML
External Entity (XXE) attacks.

Impact

If the XML parser has no restrictions for external and internal entities,
then this might lead to arbitrary file disclosures or server-side request
forgery (SSRF) vulnerabilities when XML input is parsed.

Our Response

The original index file, the version 0 format, is an XML file generated as
part of any repo. It is available at either index.xml or the more recent
signed version at index.jar. Recent versions of the client will always
try index-v1.jar first, which is a signed JSON format. If that is not
available, the client will fallback to index.jar. index.jar is also
used for the “nearby” app swapping functionality. All of these index.jar
files must pass the signature verification before the XML is parsed.

Successful exploitation of this would require either a) the attacker was
able to get the target to add a malicious repo, or b) the attacker was able
to get the repo signing keys and then break into an existing repo’s server
and replace the index files. For example, a malicious actor could try to
exploit someone via Nearby app swapping, so only get apps from people you
trust. The way that the client is set up to parse the XML was vulnerable,
and would allow a successful attacker to read files that the F-Droid app can
read.

For f-droid.org and the Guardian Project repo, the index files are
monitored, and changes to them are logged. So we can say with high
confidence that index-v1.jar was never removed, which is a prerequisite
for exploiting this vulnerability.

F-Droid client v1.15.4 disables all support for XML External Entities. The
v1.16-alpha0 no longer supports XML indexes at all, and all code related to
the XML index parsing and generation was removed. We will also be working
on improving the security of adding repos as part of the FFDW-DVD
funding.
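What the XXE finding amounts to in code, as an added example that is not F-Droid's: the client is Java, so this Python version models the same class of bug with the standard library's SAX parser, whose external entity resolution has been off by default since Python 3.7.1 and is switched on explicitly here for the vulnerable branch. The index document, the secret file and its contents are constructed for the demo; the hardened branch keeps external entities off and additionally refuses any DOCTYPE, since a repository index never needs one.

```python
"""XXE in an XML index parser, vulnerable and hardened (added example; see lead-in)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class _Collect(handler.ContentHandler):
    """Gather character data the way an index parser reads element text."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _RejectDTD:
    """Lexical handler: an index never needs a DOCTYPE, so refuse one outright.
    The no-op methods exist because xml.sax wires them up unconditionally."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: no entity declarations allowed")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_index(xml_bytes, hardened):
    """Return the text content of the document.

    hardened=False models the risky setup: external general entities are
    resolved, so a SYSTEM entity pulls a local file into the parsed text.
    hardened=True keeps resolution off and refuses any DOCTYPE up front.
    """
    parser = xml.sax.make_parser()
    sink = _Collect()
    parser.setContentHandler(sink)
    parser.setFeature(handler.feature_external_ges, not hardened)
    parser.setFeature(handler.feature_external_pes, False)
    if hardened:
        parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(sink.chunks)


def xxe_payload(path):
    """Constructed malicious index: a SYSTEM entity that points at a local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE fdroid [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b'<fdroid><application id="org.example"><desc>&xxe;</desc></application></fdroid>\n'
    )


def demo():
    """Parse the same payload both ways against a throw-away secret file.

    Returns (text leaked by the vulnerable parser, error raised by the hardened one).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("hunter2")          # constructed stand-in for data only the app may read
        secret_path = f.name
    try:
        leaked = parse_index(xxe_payload(secret_path), hardened=False)
        try:
            parse_index(xxe_payload(secret_path), hardened=True)
            error = ""
        except ValueError as exc:
            error = str(exc)
    finally:
        os.unlink(secret_path)
    return leaked, error


if __name__ == "__main__":
    leaked, error = demo()
    print("vulnerable parser saw:", leaked.strip())
    print("hardened parser said:", error)
```

demo() returns the text the vulnerable configuration pulled out of the file and the error the hardened one raised. Refusing the DTD outright, rather than only turning off external entities, also closes the internal-entity expansion variants and is simpler to reason about than enumerating parser features, which is the same shape as F-Droid's eventual answer of dropping XML index support entirely.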

CLN-005 – Vulnerable TLS versions accepted

  • Vulnerability type: Insecure configuration
  • Threat level: Elevated

The backend domains used by the application accept obsolete TLS 1.0 and TLS
1.1 protocols.

Impact

Use of TLS 1.0 and 1.1 makes the communication susceptible to downgrade
attacks, as they rely on the SHA-1 hash for the integrity of exchanged
messages. The handshake authentication is also done with SHA-1, which makes
it easier for an attacker to impersonate a server for MITM attacks. The PCI
DSS (Payment Card Industry Data Security Standard) specifies that TLS 1.0
may no longer be used as of June 30, 2018, and also strongly recommends
disabling 1.1, so this may impact compliance with regulations.

Our Response

F-Droid places a high importance on maintaining compatibility as long as
possible. This is why we leave TLS 1.0 and TLS 1.1 enabled on our
websites. We believe there is no added risk for people who keep their
software updated. The F-Droid Client app does not allow TLS 1.1 or 1.0
connections. TLS 1.3 provides good downgrade protection, TLS 1.2 less. Any
reputable TLS implementation from the past years makes it quite difficult to
force a connection to use TLS 1.0 or 1.1. Recent browser releases are
entirely removing support for TLS 1.0 and 1.1 anyway. That means that any
browser or client version that connects over TLS 1.0 or 1.1 actually needs
that to function. A device running Android 1.6 should be able to install an
old version of F-Droid, and have a working app store.

If you are on a device that still needs to use TLS 1.0 or 1.1, then there
are already so many well known security vulnerabilities that this one is not
particularly interesting. If you would like to test whether your browser
still supports TLS 1.0 or 1.1, click on the links below and see if they give
you an error message.

CLN-001 – Encryption algorithms using insecure mode and padding scheme

  • Vulnerability type: Weak Cryptography
  • Threat level: Low

The encryption algorithms used in the app use an insecure mode and padding
scheme.

Impact

If sensitive data is being encrypted using an insecure mode and padding, it
might lead to data being stolen or recovered from the encrypted data.

Our Response

This was only ever used to sign the app index file used in the Nearby app
swapping, which only works over the local network. The signature is on a
short-lived file that is generated on the fly, and is almost always used in
a one-to-one interaction. A lot of other pieces would have to be in place
for this to be exploited. Plus it would require a fair amount of expense to
crack the cryptography on the file that was signed seconds or minutes
before, and probably will only be in use for around 10 minutes. Any app
updates received via Nearby swapping will still have the full protection of
the APK signature. For these reasons, it is also still safe to use the SHA1
algorithm, which is necessary here for compatibility. This use case falls
under the “second preimage attack” case, meaning that the attacker cannot
affect the data before it is signed. Git can also still rely on SHA1 for
this reason.

F-Droid client v1.15.4 and v1.16-alpha1 switched from RSA/ECB/PKCS1Padding
to the standard SHA1withRSA algorithm for signing the Nearby index.jar.
The new “index-v2” for repositories added in v1.16-alpha0 uses
SHA256withRSA as the signing algorithm. The official client always starts
by trying the latest index version in each repository, and v1.16 added
downgrade protection so a repo that already offers index-v2 can’t be
downgraded to index-v1.

CLN-003 – Clear text traffic is enabled in the application

  • Vulnerability type: Insecure configuration
  • Threat level: Low

The base network config of the application allows clear-text traffic.

Impact

Allowing clear-text traffic impacts confidentiality, authenticity, and
protection against tampering. An attacker performing a machine-in-the-middle
attack can eavesdrop on transmitted data and modify it without being
detected.

Our Response

This Android feature for blocking clear text HTTP connections is a good
feature that apps should use. Having this disabled is obviously not ideal,
but it is something we had to do to support the local HTTP swap
functionality, and also HTTP .onion addresses in the past (there is another
workaround possible these days). So we have taken extra measures to enforce
HTTPS:

This vulnerability applies to the exact same context as CLN-001: Nearby app
swapping. So it is already a quite limited environment for malicious actors
to operate in. This does not affect built-in repos at all, since they are
hard-coded to HTTPS. Plus good webserver setups like f-droid.org do not
allow data to be sent over plain HTTP.

CLN-004 – HTTP Request URLs are logged

  • Vulnerability type: Information leakage
  • Threat level: Low

The Android app (org.fdroid.fdroid.debug ver. 1.14-alpha3-505-gc8514adb9-debug)
logs URLs.

Impact

Logging sensitive information in the Android log is not a recommended
practice as this information can (in some scenarios) be accessed by other
applications on the same device. URLs can contain tokens or other sensitive
data which might be logged, leading to the disclosure of that data to other
apps.

Our Response

Privacy is important, and we want to ensure that any potentially private
information is not leaked, even at the cost of easier debugging or service
analytics. So we appreciate the auditor’s level of attention in reporting
this issue and have removed the URLs from the logging on release builds.

This vulnerability does not affect the security of operations. Many web
services put private tokens in URLs, and logging those would be like leaking
clear text passwords. All the well known repositories including f-droid.org
are run as a static website, so there are no user accounts. The issue here is
if someone got the “logcat” text, which is generally protected in Android,
and apps cannot simply read the text anymore. One potential leak scenario
would be if someone installed a sensitive app, then uninstalled it. That
app install and uninstall would be listed in the log, available if the user
was compelled to provide that log, or if the device was exploited to get
access to protected data.

This will be fixed in the final v1.16 release.
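One way to keep URLs out of a log without losing their diagnostic value, as an added example rather than the client's own fix (the client is Java; this is Python): userinfo and fragment are dropped, query values are blanked while their keys stay, and a logging filter applies this to every record before a handler sees it. The URLs and log message below are constructed for the demo.

```python
"""Redacting URLs before they reach a log (added example; see the lead-in)."""
import io
import logging
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

_URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.I)


def redact_url(url):
    """Keep scheme, host, port and path; drop userinfo and fragment; blank
    every query value but keep its key so the line still says what was fetched."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                 # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    query = "&".join(f"{k}=<redacted>"
                     for k, _ in parse_qsl(p.query, keep_blank_values=True))
    return urlunsplit((p.scheme, host, p.path, query, ""))


def redact_text(text):
    """Apply redact_url to every URL embedded in free text such as a log message."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class UrlRedactingFilter(logging.Filter):
    """Attach to a handler so nothing downstream ever sees the raw URL."""
    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def demo_log_line(url):
    """Return what a handler carrying the filter writes for one download."""
    stream = io.StringIO()
    logger = logging.getLogger("fdroid.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    stream_handler = logging.StreamHandler(stream)
    stream_handler.addFilter(UrlRedactingFilter())
    logger.addHandler(stream_handler)
    logger.debug("downloading %s", url)
    stream_handler.flush()
    return stream.getvalue().strip()
```

Keeping the query keys is deliberate: a line reading index-v1.jar?token=<redacted> still tells you which repo endpoint failed, while the value that would let a reader of the log replay the request is gone.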

(This work was funded by NLnet under an ongoing project known as Tracking
the Trackers and The Search for Ethical Apps under the umbrella of Guardian
Project.)

Balla Gaye 2 ak Sa Thiès guenné nagn touss bou bess, watch the beautiful choreography

▷▷SUBSCRIBE HERE: https://bit.ly/2EcXtOL
Turn on NOTIFICATIONS so you don't miss the next videos
Find us at https://www.SeneNews.com
Download our Android app: http://bit.ly/2zzUxto
Download our iOS app: http://apple.co/2zQjAco
Follow us on Twitter: https://twitter.com/Senenews
Follow us on Facebook: http://bit.ly/2zPqJJQ

Find out how preparations for Lula's inauguration are going

Preparations for the inauguration of Luiz Inácio Lula da Silva (PT) are entering their final phase four days before the ceremony, which takes place next Sunday (01). Along the Esplanada dos Ministérios, the event's structure can be seen taking shape. Meanwhile, however, tension is growing around the safety of the public and of the president-elect himself, in light of the recent episodes of violence by Bolsonaro supporters unhappy with the election result. Watch the full Jornal da Manhã: https://youtu.be/frYUi2AU0dA
